Check: PHTN-67-000067
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000067
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must configure sshd to use FIPS 140-2 ciphers. (Cat I impact)
Discussion
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement through leveraging a cryptographic module. Satisfies: SRG-OS-000394-GPOS-00174, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223
Check Content
At the command line, execute the following command: # sshd -T|&grep -i Ciphers Expected result: ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr If the output does not match the expected result, this is a finding.
Fix Text
Open /etc/ssh/sshd_config with a text editor. Ensure that the "Ciphers" line is uncommented and set to the following: Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr At the command line, execute the following command: # service sshd reload
Additional Identifiers
Rule ID: SV-239138r877381_rule
Vulnerability ID: V-239138
Group Title: SRG-OS-000394-GPOS-00174
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |